Encrypt Everything – Mobile Devices

As part of an ongoing series, we’re helping to explain the various steps to encrypt and protect the your most valuable data. Follow along each week for practical privacy how-tos.

Last week we introduced encrypting your primary machine’s hard disk but that is only a first step in the goal of protecting your data. Your my computer is only one of the places that you generate and interaction with your data. This week we will address protecting your mobile device.

Often your computer lives in a fairly secure location, making it difficult to access for a potential attacker. Your mobile device, on the other hand, goes wherever you go. In fact, a recent Gallup poll showed that 81% of smartphone owners had their phone on them “almost all the time during waking hours.” Meaning there far more opportunities for your mobile device to be left behind or for an attacker to make off with your sensitive photographs, email, and your entire contact list. If you use contactless payments, then your phone doubles as a newly-stolen credit card, too.

Why It Matters

As with your primary machine, the idea behind encrypting your mobile device is to protect the data at rest it carries. This means if someone attempts to extract your phone’s data directly, nothing of use can be retrieved.

Conveniently, encryption is often enabled on new mobile devices by default. If you’re unsure whether or not your device is protected, walking through the setup is trivial and will give you valuable peace of mind. Trust me, it’s worth the seconds you will spend checking.

Getting Started

Android

Open Settings

Tap on Security

Look under Encryption – if you see “Encrypted,” then you’re done!

If your device isn’t already encrypted, first set up a device PIN

Finally, tap on Encrypt Phone to enable encryption

Yes, it really is that simple.

When encrypting for the first time (i.e. if your device wasn’t encrypted by default at first boot), the phone will use a lot of power. Plug it into the wall and let it do its magic for a bit. Once everything is protected, you can change your PIN if you need to – this will change an encrypted master key, but won’t require re-encrypting the entire device.

iOS

Open Settings

Tap on Touch ID & Passcode

Make sure Passcode is enabled

Once your Passcode is set, scroll to the bottom of the Touch ID & Passcode screen

Ensure Data Protection is enabled

Just like Android, it really is that simple.

You can optionally enable data erasure for the device as well, meaning that any attacker trying to brute force your passcode will be out of luck after 10 attempts. This may or may not be overkill for your particular use cases, but does provide a higher level of protection for the data on a lost or stolen device.

Under the Hood

Android

For full disk encryption, your device creates a random master key that is encrypted with a default password (and a random salt) and stored when it first boots. Once you set a device PIN or password, this master key is then re-encrypted. None of your data changes, just the stored master key on the device.

When the phone is restarted, none of your user data is loaded in plain text. The device can’t read the encrypted partition at all, so contacts, emails, etc. stay completely protected. Once you unlock the device by entering your PIN or password, Android decrypts the master key and uses it to transparently decrypt your user data.

Everything you read and write once the device is unlocked is still encrypted at rest but passes through to you the user transparently. If you turn off or restart the device, it will again enter its locked state and the data will be unusable to anyone else.

With file-based encryption, your device creates a different key for various files and protects them independently from other user data. This feature is what allows the device to function (albeit minimally) while other user data is still locked – receiving messages/calls, placing emergency calls, loading a lock screen, etc.

iOS

Mobile Apple devices combine strong software security with distinct hardware features for even stronger protection of user information. Their Secure Enclave is a separate processor that manages all of the device’s cryptographic operations and keys. The devices are built in such a way that, even while encrypted, they can still respond to system events like phone calls and text messages but simultaneously protect user data until it’s unlocked.

Every file is given its own encryption key, which is in turn encrypted by a different system-wide key depending on the file’s intended usage. The wrapped file keys are decrypted by the Secure Enclave and never exposed directly to the application processor.

Setting a passcode prevents access to certain data until after a device is first unlocked. Booting the device will allow it to function, but data like WiFi passwords, email accounts, social network tokens, and bookmarks are only available after the device has been unlocked at least once.

What’s Next

Ultimately, these are the only steps you need to secure the data on your phone. However, to provide the best security for your data, you should use a secure PIN or pattern to unlock your device rather than your fingerprint. Despite still using strong encryption to protect your data, but fingerprint unlock is actually less secure than a traditional password.

Fingerprints can be compelled by force of law, might already be on file somewhere to begin with, and can even be 3D printed from high-resolution photographs. The compromise of your fingerprint is far more significant than that of an unlock PIN. Make sure the key you use to unlock your device can be changed in case someone steals it.

Now that your mobile device and your primary computer are encrypted, it’s time to take care of your email. Check in next week for Encrypt Everything – Email Edition.